Text message fraud: defending your business against smishing

April 2024

In today’s digital age, businesses face an ever-growing array of cyber threats, and one that’s becoming increasingly prominent is smishing. Smishing — a blend of “SMS” and “phishing” — is a form of phishing that takes place through fraudulent text messages (SMS).

In this article, we’ll explore how smishing works, why it poses a significant threat to businesses, and most important, how businesses can protect their organizations from falling victim to these attacks.

What is smishing – and how does it work?

Smishing is text message fraud involving the use of text messages to trick individuals into divulging sensitive information or clicking on malicious links.

Much like they do in phone number spoofing, fraudsters often employ text spoofing to send you messages from a number that appears on your phone as KeyBank or another reputable company you do business with. These criminals often claim to be investigating fraudulent activity on your account.

One frequently used tactic involves a hacker saying they need to verify you as a client. They then ask you to provide your login ID, password, and one-time security code. Once provided, they have full access to your account and can transfer funds to themselves.

In another common tactic, the hacker includes a fraudulent link in the text that takes you to a spoofed website that looks virtually identical to a legitimate site, such as KeyNavigator or KeyBank Business Online. Once you attempt to sign in to the fake site, your credentials are captured. From there, the hacker will attempt to obtain your one-time passcode under the guise of “helping resolve your log-in issues" to gain full access to your account.

REMEMBER: Always pay attention to who reached out first.

When you initiate an interaction with KeyBank, we may ask for information such as the last four digits of your Social Security number, login ID, or a one-time passcode to verify your identity.

However, KeyBank will never contact you unexpectedly by phone, text, or email and ask for your full Social Security number, login ID, or other personal information if the communication was not initiated by you.

Verify these requests by contacting a known KeyBank resource such as your local branch, 1-800-KEY2YOU^®, or our Fraud Hotline (1-800-433-0124) before providing any sensitive information.

Why is smishing a concern for businesses?

Smishing tactics look deceptively legitimate.

Smishing is particularly effective because the text messages, spoofed numbers, and spoofed websites are often virtually indistinguishable from authentic ones. People trust the tactics on appearance and are falling victim at an alarming rate.

As more employees use their cellphones for work purposes, smishing is becoming a major concern for businesses. Fraudsters are increasingly using smishing to target businesses of all types, industries, and sizes — and we’ve received reports of KeyBank clients being targeted.

The monetary cost is substantial.

Experian reports that 87.8 billion smishing attacks resulted in an estimated $10 billion in consumer losses in 2021 alone.¹ And fraudsters are increasingly targeting businesses over consumers because business accounts typically provide a more lucrative payout.

In 2021, 74% of organizations experienced a smishing attack.²

With business smishing attacks on the rise, and more sizeable bank accounts at stake, the monetary risk smishing poses to businesses is immense.

Smishing can have a significant impact on a company’s bottom line — and its reputation. The best way to mitigate these damages is to avoid becoming a victim in the first place.

How to protect your business from smishing

Safeguarding your business against smishing attacks requires a coordinated effort between business leadership and all employees.

Best Practices for Business

Invest in continuous education to stay on top of emerging fraud trends.
Report any suspicious texts regarding your accounts to your financial institution immediately.
Employ a third-party expert to identify, disable, and prosecute websites impersonating your brand.
Create and enforce a policy for using personal mobile devices for business purposes.
Ensure your employees are registered for and using strong authentication (FIDO security keys, fingerprint validation, facial recognition, etc.) to sign in to online banking sites.
Remind employees to:
- Be cautious of all unexpected text messages.
- Never share sensitive information via text, including log-in IDs, passwords, or one-time passcodes.
- Verify a suspicious text immediately by calling a known phone number or contact at the business or financial institution.

Let’s work together to protect your business.

At KeyBank, we want to work alongside you and your employees to help secure your business against smishing and other forms of fraud.

We’re committed to arming you with the latest information on cybercrime and payments fraud. Visit key.com/cybersecurity to learn more. For information about KeyBank’s Core Fraud Solutions, connect with your Payments Advisor or Relationship Manager.

Waugh, Evelyn. (2022, April 22). What is Smishing? Experian.com

Cvetnarevic, Dejan. (2023, May 30). 20 Smishing Statistics to Know in 2023. Securityescape.com